cURL / Mailing Lists / curl-users / Single Mail


Important note for curl users on OS X Mavericks 10.9

From: Nick Zitzmann <>
Date: Tue, 22 Oct 2013 18:15:23 -0500

Hi all! If you're reading this, I'm guessing either you're subscribed to this list, or you just upgraded to Mavericks and you use Apple's curl and you noticed something that used to work doesn't and you're searching with Google/DuckDuckGo/etc. for information on what happened.

Well, if you're in the latter category: In Mavericks, Apple changed from curl 7.24.0 to 7.30.0, and in the process, they switched the TLS/SSL engine used by their curl, from OpenSSL to their own Secure Transport engine. Apple's OpenSSL is still at version 0.9.8 and I doubt they will ever upgrade it, so this change improves curl's security. This is because the new engine supports TLS 1.1 and 1.2, and many new-ish cipher suites not supported by that old version of OpenSSL. However, a few behaviors changed in curl:

1. The -2/--sslv2 option no longer works because Apple discontinued support for SSLv2 back in Mountain Lion. I doubt this affects many of you, but if you absolutely need to use curl to access a very old Web server that is too old to support SSLv3, then you need to download the curl source code and build your own curl against OpenSSL instead.

2. Unless Apple changed curl's code behind my back, the --cacert option no longer works. This is because the new engine reads its certificates from a security database (the Keychain) instead of from certificate files. If you were using this option to allow curl to access a server with a self-signed certificate, then you need to do one of the following instead:

2a. Import the certificate into the system ("System") or user ("login") keychain using Keychain Access and mark it as always trusted for SSL and X.509 basic policy. (It has to be placed in your user or the system keychain. Don't touch X509Anchors. That database is for Apple's use only.)
2b. Use "security add-trusted-cert" from the command line on the PEM or DER-encoded certificate. See the security man page for details.
2c. Visit the site in Safari, and when you're asked about the site's certificate, choose to proceed and always trust the certificate. (You must use Safari for this; Firefox and Chrome don't use the Keychain for certificates.)

3. The --crlfile option is ignored, because the engine now handles OCSP and CRL checks automatically. Or at least it will, if the user account was created in Lion or later. The rest of you can turn this on in the Keychain Access preferences.

4. The -E/--cert option also broke. Sorry, but at the time I didn't have cryptographic authentication implemented in curl. If you download the latest curl version and build it yourself, then this feature will work once again with either identities in the Keychain or identity files in P12 format. (Sadly, I can't get this to work with PEM or DER certificates because of a missing API in the Security framework.)

5. The --ciphers option is also ignored. The good news is I programmatically turned off support for insecure ciphers, and the engine prioritizes strong ciphers over problematic ones, so I doubt this will be a big problem for anyone.

I think that's it. Other than --cacert I doubt these changes will affect anyone, but I thought I'd let you all know...

Nick Zitzmann

List admin:
Received on 2013-10-23